Mailing List Archive: SPF: Help

Over 255 character SPF record with TinyDNS/djbdns

Index | Next | Previous | View Threaded

CSingh at lightspeedresearch

Feb 9, 2010, 10:52 AM

Post #1 of 13 (2310 views)
Permalink

Over 255 character SPF record with TinyDNS/djbdns

I am looking for help with the correct syntax for specifying a longer
than 255 characters SPF record in TinyDNS. Here is what I have right now
but it splits the result of the lookup after 127 characters:

'lightspeedaheadnewsletter.com:v=spf1 a mx ip4\07263.236.30.0/25
ip4\07266.135.41.209 ip4\072198.178.236.128/25 ip4\072198.178.239.0/24
ip4\072198.178.237.128/25 ip4\07266.139.75.197 ip4\07272.51.41.212
ip4\07269.41.163.228 ip4\072216.139.208.114 ip4\07264.34.176.174
ip4\072208.46.128.32/27 ip4\072212.240.95.144/28 ip4\072134.159.111.26
ip4\072207.126.144.0/20 -all:3600

'ewr-mx01.lightspeedresearch.com:v=spf1 a -all:3600

'ewr-mx03.lightspeedresearch.com:v=spf1 a -all:3600

Regards,

Charan

This email is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email by mistake, please delete it from your system immediately and notify the sender. Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Feb 9, 2010, 11:21 AM

Post #2 of 13 (2219 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

On Tue, Feb 9, 2010 at 18:52, <CSingh [at] lightspeedresearch> wrote:
> I am looking for help with the correct syntax for specifying a longer
> than 255 characters SPF record in TinyDNS. Here is what I have right now
> but it splits the result of the lookup after 127 characters:

The correct approach is to use the include: tag, as specified in
http://www.openspf.org/SPF_Record_Syntax. Just ensure you watch the
number of DNS lookups - there's a limit of 10 and each include will
use one, A will use 2 and MX will use at least 3.

You should also list the IP addresses first and where possible break
the A and MX records down - since your current MX and A records are
covered by the IP ranges listed you can simply remove them.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

aaron.m at gogvo

Feb 9, 2010, 3:44 PM

Post #3 of 13 (2195 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

I had these very same questions, and my ultimate question is there a
tool that will allow full SPF testing with includes?

I have not found one yet that works

ex: I am sending mail from mydomainname.com to my smtp servers and
those servers sv1.domainname.com are making the actual delivery to the
destination address the spf record is "v=spf1
include:spf1.domainname.com include:spf2.domainname.com -all"

and the record for spf1 14400 IN TXT "v=spf1 ip4:xxx.xxx.xxx.xxx/29
ip4:xxx.xxx.xxx.xx1/29 etc....

I want to be able to see full validation with this type of spf setup and
something that can test it. Just about everyone out there tells me to
go to dnsreport or mxtoolbox but none of these seems to fully check
includes so i get a fail.....

Any assistance would be helpful
-Aaron

On 2/9/2010 12:52 PM, CSingh [at] lightspeedresearch wrote:
> I am looking for help with the correct syntax for specifying a longer
> than 255 characters SPF record in TinyDNS. Here is what I have right now
> but it splits the result of the lookup after 127 characters:
>
>
>
> 'lightspeedaheadnewsletter.com:v=spf1 a mx ip4\07263.236.30.0/25
> ip4\07266.135.41.209 ip4\072198.178.236.128/25 ip4\072198.178.239.0/24
> ip4\072198.178.237.128/25 ip4\07266.139.75.197 ip4\07272.51.41.212
> ip4\07269.41.163.228 ip4\072216.139.208.114 ip4\07264.34.176.174
> ip4\072208.46.128.32/27 ip4\072212.240.95.144/28 ip4\072134.159.111.26
> ip4\072207.126.144.0/20 -all:3600
>
> 'ewr-mx01.lightspeedresearch.com:v=spf1 a -all:3600
>
> 'ewr-mx03.lightspeedresearch.com:v=spf1 a -all:3600
>
>
>
> Regards,
>
> Charan
>
>
> This email is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email by mistake, please delete it from your system immediately and notify the sender. Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
>
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
> Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

mengwong at gmail

Feb 9, 2010, 4:07 PM

Post #4 of 13 (2214 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

On Feb 10, 2010, at 7:44 AM, Aaron Moon wrote:
> I had these very same questions, and my ultimate question is there a tool that will allow full SPF testing with includes?
>
> I want to be able to see full validation with this type of spf setup and something that can test it. Just about everyone out there tells me to go to dnsreport or mxtoolbox but none of these seems to fully check includes so i get a fail.....

why not send a message to a gmail account and check the headers?

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Feb 9, 2010, 5:14 PM

Post #5 of 13 (2249 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

At 18:52 09/02/2010 Tuesday, CSingh [at] lightspeedresearch wrote:
>I am looking for help with the correct syntax for specifying a longer
>than 255 characters SPF record in TinyDNS. Here is what I have right now
>but it splits the result of the lookup after 127 characters:

no idea Re the dns server make/model but to ensure a record {longer than fits in 1 udp dns packet {no idea if 255 is the limit}} {from your tests i'd suspect 127 seems to be the limit} {from memory the bytelength available for reply will depend on the length of the domain in the query too as the queryname is part of the reply packet}

you first write your record as you would want it

ie ips first them if needed A then ONLY if really needed mx etc {cheapest/quickest matches first}

ie v=spf1 ip4:xx.xx.xx.xx ip4: a:blah.domain.com etc mx:domains include:spfrecord -all
then select domain for second part of spf record such as _part2.domain.com {underscore denotes non-hostname}

then make first record
v=spf1 {whatever-you-can-fit-here} include:_part2.%{d2} -all

ensuring the total length is lower than {maximum successfully returned length, 255/128/whatever}
remember you must have the v=spf1 and the - ~ ? all {as the all part is only evaluated after the includes and is the one that actually has an effect on non-matches}
also the %{d2} is shorter dns reply wise than domainname.com if its domain.co.uk make it %{d3}

then record _part2 if its still too large should continue the trend

v=spf1 {whatever-you-can-fit-here} include:_part3.%{d2} -all
remember you must have the v=spf1 and the - ~ ? all
even though the -all in an include will have negligable effect it just causes a return to previous record to continue processing

but this chaining means for most mails 1 lookup finds a match {your most busy ips were at the front of the list}
for some 2 lookups find a match
for some 3 lookup

for all fails all 3 lookups are done before a fail is declared

>
>
>'lightspeedaheadnewsletter.com:v=spf1 a mx ip4\07263.236.30.0/25
>ip4\07266.135.41.209 ip4\072198.178.236.128/25 ip4\072198.178.239.0/24
>ip4\072198.178.237.128/25 ip4\07266.139.75.197 ip4\07272.51.41.212
>ip4\07269.41.163.228 ip4\072216.139.208.114 ip4\07264.34.176.174
>ip4\072208.46.128.32/27 ip4\072212.240.95.144/28 ip4\072134.159.111.26
>ip4\072207.126.144.0/20 -all:3600
>
>'ewr-mx01.lightspeedresearch.com:v=spf1 a -all:3600
>
>'ewr-mx03.lightspeedresearch.com:v=spf1 a -all:3600
>
>
>
>Regards,
>
>Charan
>
>
>This email is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email by mistake, please delete it from your system immediately and notify the sender. Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
>
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Feb 9, 2010, 5:21 PM

Post #6 of 13 (2201 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

At 23:44 09/02/2010 Tuesday, Aaron Moon wrote:
>I had these very same questions, and my ultimate question is there a tool that will allow full SPF testing with includes?
>
>I have not found one yet that works

the command line tool is what i suspect most people use
{if fed with a properly non-matching ip it should walk the length of your includes and return the fail properly or syntax error if it has issues with your syntax}

spfquery
Preferred Usage:
spfquery [--versions|-v 1|2|1,2] [--scope|-s helo|mfrom|pra]
--identity|--id <identity> --ip-address|--ip <ip-address>
[--helo-identity|--helo-id <helo-identity>] [OPTIONS]
spfquery [--versions|-v 1|2|1,2] [--scope|-s helo|mfrom|pra]
--file|-f <filename>|- [OPTIONS]

Legacy Usage:
spfquery --helo <helo-identity> --ip-address|--ip <ip-address> [OPTIONS]
spfquery --mfrom <mfrom-identity> --ip-address|--ip <ip-address>
[--helo <helo-identity>] [OPTIONS]
spfquery --pra <pra-identity> --ip-address|--ip <ip-address> [OPTIONS]

Other Usage:
spfquery --version|-V

See `spfquery --help` for more information.

>ex: I am sending mail from mydomainname.com to my smtp servers and those servers sv1.domainname.com are making the actual delivery to the destination address the spf record is "v=spf1 include:spf1.domainname.com include:spf2.domainname.com -all"

kinda useless info without the correct domain names so we could look/see possibly identify the syntax error

but i would suggest domains for spf or other non hostname use should use the {illegal for hostnames} syntax of _spfx.domainname.com
just because it keeps dns tidier

>and the record for spf1 14400 IN TXT "v=spf1 ip4:xxx.xxx.xxx.xxx/29 ip4:xxx.xxx.xxx.xx1/29 etc....
>
>I want to be able to see full validation with this type of spf setup and something that can test it. Just about everyone out there tells me to go to dnsreport or mxtoolbox but none of these seems to fully check includes so i get a fail.....
>
>Any assistance would be helpful
>-Aaron
>
>
>On 2/9/2010 12:52 PM, CSingh [at] lightspeedresearch wrote:
>>I am looking for help with the correct syntax for specifying a longer
>>than 255 characters SPF record in TinyDNS. Here is what I have right now
>>but it splits the result of the lookup after 127 characters:
>>
>>
>>
>>'lightspeedaheadnewsletter.com:v=spf1 a mx ip4\07263.236.30.0/25
>>ip4\07266.135.41.209 ip4\072198.178.236.128/25 ip4\072198.178.239.0/24
>>ip4\072198.178.237.128/25 ip4\07266.139.75.197 ip4\07272.51.41.212
>>ip4\07269.41.163.228 ip4\072216.139.208.114 ip4\07264.34.176.174
>>ip4\072208.46.128.32/27 ip4\072212.240.95.144/28 ip4\072134.159.111.26
>>ip4\072207.126.144.0/20 -all:3600
>>
>>'ewr-mx01.lightspeedresearch.com:v=spf1 a -all:3600
>>
>>'ewr-mx03.lightspeedresearch.com:v=spf1 a -all:3600
>>
>>
>>
>>Regards,
>>
>>Charan
>>
>>
>>This email is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email by mistake, please delete it from your system immediately and notify the sender. Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
>>
>>
>>
>>-------------------------------------------
>>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>
>>Archives: https://www.listbox.com/member/archive/1020/=now
>>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>>Powered by Listbox: http://www.listbox.com
>>
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Feb 9, 2010, 6:08 PM

Post #7 of 13 (2197 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

At 00:07 10/02/2010 Wednesday, Meng Weng Wong wrote:
>On Feb 10, 2010, at 7:44 AM, Aaron Moon wrote:
>> I had these very same questions, and my ultimate question is there a tool that will allow full SPF testing with includes?
>>
>> I want to be able to see full validation with this type of spf setup and something that can test it. Just about everyone out there tells me to go to dnsreport or mxtoolbox but none of these seems to fully check includes so i get a fail.....
>
>why not send a message to a gmail account and check the headers?

as a pass result only checks the syntax as far as the matching argument
{only a fail result causes the spf parser to get to the -all at the end}

spfquery -v 1 -s mfrom -id blah [at] domain -ip 10.10.10.10

where address is one that exists
and ip is one that should fail

another cause of failure [on these test websites] might be not having setup spf record[s] for the helo-identit(y|ies) used by your MTA['s]

>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

scott at kitterman

Feb 10, 2010, 12:23 AM

Post #8 of 13 (2183 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

Try http://www.kitterman.com/spf/validate.HTML

Scott K

"Aaron Moon" <aaron.m [at] gogvo> wrote:

>I had these very same questions, and my ultimate question is there a
>tool that will allow full SPF testing with includes?
>
>I have not found one yet that works
>
>ex: I am sending mail from mydomainname.com to my smtp servers and
>those servers sv1.domainname.com are making the actual delivery to the
>destination address the spf record is "v=spf1
>include:spf1.domainname.com include:spf2.domainname.com -all"
>
>and the record for spf1 14400 IN TXT "v=spf1 ip4:xxx.xxx.xxx.xxx/29
>ip4:xxx.xxx.xxx.xx1/29 etc....
>
>I want to be able to see full validation with this type of spf setup and
>something that can test it. Just about everyone out there tells me to
>go to dnsreport or mxtoolbox but none of these seems to fully check
>includes so i get a fail.....
>
>Any assistance would be helpful
>-Aaron
>
>
>On 2/9/2010 12:52 PM, CSingh [at] lightspeedresearch wrote:
>> I am looking for help with the correct syntax for specifying a longer
>> than 255 characters SPF record in TinyDNS. Here is what I have right now
>> but it splits the result of the lookup after 127 characters:
>>
>>
>>
>> 'lightspeedaheadnewsletter.com:v=spf1 a mx ip4\07263.236.30.0/25
>> ip4\07266.135.41.209 ip4\072198.178.236.128/25 ip4\072198.178.239.0/24
>> ip4\072198.178.237.128/25 ip4\07266.139.75.197 ip4\07272.51.41.212
>> ip4\07269.41.163.228 ip4\072216.139.208.114 ip4\07264.34.176.174
>> ip4\072208.46.128.32/27 ip4\072212.240.95.144/28 ip4\072134.159.111.26
>> ip4\072207.126.144.0/20 -all:3600
>>
>> 'ewr-mx01.lightspeedresearch.com:v=spf1 a -all:3600
>>
>> 'ewr-mx03.lightspeedresearch.com:v=spf1 a -all:3600
>>
>>
>>
>> Regards,
>>
>> Charan
>>
>>
>> This email is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email by mistake, please delete it from your system immediately and notify the sender. Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
>>
>>
>>
>> -------------------------------------------
>> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>> Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>
>> Archives: https://www.listbox.com/member/archive/1020/=now
>> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>> Powered by Listbox: http://www.listbox.com
>>
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

hannah at schlund

Feb 10, 2010, 3:51 AM

Post #9 of 13 (2200 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

Hi!

On Tue, Feb 09, 2010 at 12:52:47PM -0600, CSingh [at] lightspeedresearch wrote:
>'lightspeedaheadnewsletter.com:...

When I lookup that DNS record with dig, it looks correct. It is *one*
TXT record with three character-strings; the first two character-strings
are 127 characters long, the last one is 40 characters long. The SPF RFC
says the character strings in *one* TXT records are to be treated as
their concatenation (so one may "break" it up at any position, not only
between syntactic elements!), and if I look at the record thusly, it
seems to be okay.

;; ANSWER SECTION:
lightspeedaheadnewsletter.com. 3600 IN TXT "v=spf1 a mx ip4:63.236.30.0/25 ip4:66.135.41.209 ip4:198.178.236.128/25 ip4:198.178.239.0/24 ip4:198.178.237.128/25 ip4:66.139." "75.197 ip4:72.51.41.212 ip4:69.41.163.228 ip4:216.139.208.114 ip4:64.34.176.174 ip4:208.46.128.32/27 ip4:212.240.95.144/28 ip4:" "134.159.111.26 ip4:207.126.144.0/20 -all"

Concatenate, so you get:

"v=spf1 a mx ip4:63.236.30.0/25 ip4:66.135.41.209 ip4:198.178.236.128/25 ip4:198.178.239.0/24 ip4:198.178.237.128/25 ip4:66.139.75.197 ip4:72.51.41.212 ip4:69.41.163.228 ip4:216.139.208.114 ip4:64.34.176.174 ip4:208.46.128.32/27 ip4:212.240.95.144/28 ip4:134.159.111.26 ip4:207.126.144.0/20 -all"

That's it.

Btw, you could leave out "a", because the A record (63.236.30.53)
is actually already encompassed in ip4:63.236.30.0/25.

The same for MX:

lightspeedaheadnewsletter.com mail is handled by 20 ewr-mx03.lightspeedresearch.com.
lightspeedaheadnewsletter.com mail is handled by 10 ewr-mx01.lightspeedresearch.com.
ewr-mx03.lightspeedresearch.com has address 63.236.30.65
ewr-mx01.lightspeedresearch.com has address 63.236.30.61

Also encompassed in ip4:63.236.30.0/25.

Would save the receivers some (4) DNS lookups. Then, you could check
whether your site *really* uses all the named IP addresses/address
blocks to send mail. If not you could restrict the record more.

Kind regards,

Hannah.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

hannah at schlund

Feb 10, 2010, 3:55 AM

Post #10 of 13 (2265 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

Hi!

On Tue, Feb 09, 2010 at 07:21:59PM +0000, Rob MacGregor wrote:
>On Tue, Feb 9, 2010 at 18:52, <CSingh [at] lightspeedresearch> wrote:
>> I am looking for help with the correct syntax for specifying a longer
>> than 255 characters SPF record in TinyDNS. Here is what I have right now
>> but it splits the result of the lookup after 127 characters:

>The correct approach is to use the include: tag, as specified in
>http://www.openspf.org/SPF_Record_Syntax.

Splitting TXT into more than one character-string is supported both
by the DNS specification and by SPF (see section 3.1.3 of RFC 4408).

Are you aware of any SPF implementations that get that wrong?

(We fixed ours [actually the DNS library] quite some time ago.)

The record of the OP still fits in the default DNS-via-UDP 512 byte
limit, anyway, so that shouldn't be an issue either.

>[...]

Kind regards,

Hannah.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

aaron.m at gogvo

Feb 10, 2010, 12:44 PM

Post #11 of 13 (2190 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

I tried this and it's not very conclusive

I have server A (mail feeder)
then I have multiple smtp servers that mail is fed to
server s1, s2, s3, s4, s5, s6

mail gets sent to s1, s2, s3, s4, s5 or s6 then those servers actually
send the mail.

DNS server is using BIND 9.3.X
my spf is

gogvo.com 14400 IN TXT "v=spf1 include:spf1.gogvo.com
include:spf2.gogvo.com -all"
spf1 14400 IN TXT "v=spf1 a mx:mail.gogvo.com
mx:gogvo.com ip4:12.68.137.213 ip4:12.204.164.198 ip4:12.204.164.163
ip4:12.204.164.52/29 ip4:12.68.141.86/28 ip4:12.204.164.91/30
ip4:12.204.164.93/30 ip4:12.204.164.92/30 ip4:12.68.140.17 -all"
spf2 14400 IN TXT "v=spf1 a mx ip4:12.68.141.104
ip4:12.204.164.49 ip4:12.204.164.86/26 ip4:12.68.140.10/28
ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/27
ip4:12.68.140.16 ip4:12.68.140.18 -all"

I want to check each smtp relayer (that has one of the above IP's)

this is how i need to check it

mail generated from 12.204.164.198 is sent to the relay server and that
server (s1.gogvo.com) send the actual message)'
does it pass SPF

Your tool does not give me the information needed to know what to put in
what field

-Aaron

On 2/10/2010 2:23 AM, Scott Kitterman wrote:
> Try http://www.kitterman.com/spf/validate.HTML
>
> Scott K
>
> "Aaron Moon"<aaron.m [at] gogvo> wrote:
>
>
>> I had these very same questions, and my ultimate question is there a
>> tool that will allow full SPF testing with includes?
>>
>> I have not found one yet that works
>>
>> ex: I am sending mail from mydomainname.com to my smtp servers and
>> those servers sv1.domainname.com are making the actual delivery to the
>> destination address the spf record is "v=spf1
>> include:spf1.domainname.com include:spf2.domainname.com -all"
>>
>> and the record for spf1 14400 IN TXT "v=spf1 ip4:xxx.xxx.xxx.xxx/29
>> ip4:xxx.xxx.xxx.xx1/29 etc....
>>
>> I want to be able to see full validation with this type of spf setup and
>> something that can test it. Just about everyone out there tells me to
>> go to dnsreport or mxtoolbox but none of these seems to fully check
>> includes so i get a fail.....
>>
>> Any assistance would be helpful
>> -Aaron
>>
>>
>> On 2/9/2010 12:52 PM, CSingh [at] lightspeedresearch wrote:
>>
>>> I am looking for help with the correct syntax for specifying a longer
>>> than 255 characters SPF record in TinyDNS. Here is what I have right now
>>> but it splits the result of the lookup after 127 characters:
>>>
>>>
>>>
>>> 'lightspeedaheadnewsletter.com:v=spf1 a mx ip4\07263.236.30.0/25
>>> ip4\07266.135.41.209 ip4\072198.178.236.128/25 ip4\072198.178.239.0/24
>>> ip4\072198.178.237.128/25 ip4\07266.139.75.197 ip4\07272.51.41.212
>>> ip4\07269.41.163.228 ip4\072216.139.208.114 ip4\07264.34.176.174
>>> ip4\072208.46.128.32/27 ip4\072212.240.95.144/28 ip4\072134.159.111.26
>>> ip4\072207.126.144.0/20 -all:3600
>>>
>>> 'ewr-mx01.lightspeedresearch.com:v=spf1 a -all:3600
>>>
>>> 'ewr-mx03.lightspeedresearch.com:v=spf1 a -all:3600
>>>
>>>
>>>
>>> Regards,
>>>
>>> Charan
>>>
>>>
>>> This email is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email by mistake, please delete it from your system immediately and notify the sender. Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
>>>
>>>
>>>
>>> -------------------------------------------
>>> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>>> Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>>
>>> Archives: https://www.listbox.com/member/archive/1020/=now
>>> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>>> Powered by Listbox: http://www.listbox.com
>>>
>>>
>>
>> -------------------------------------------
>> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>> Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>
>> Archives: https://www.listbox.com/member/archive/1020/=now
>> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>> Powered by Listbox: http://www.listbox.com
>>
>>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
> Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Feb 10, 2010, 12:57 PM

Post #12 of 13 (2231 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

On Wed, Feb 10, 2010 at 20:44, Aaron Moon <aaron.m [at] gogvo> wrote:

> gogvo.com 14400 IN TXT "v=spf1 include:spf1.gogvo.com
> include:spf2.gogvo.com -all"
> spf1 14400 IN TXT "v=spf1 a mx:mail.gogvo.com mx:gogvo.com

Those 3 entries probably aren't what you want:

a means "gogvo.com", which is 12.204.164.198 - you already list that IP

mx:mail.gogvo.com means "The MX for mail.gogvo.com". There isn't one
- that's an error

mx:gogvo.com means "The MX for gogvo.com", which is "gogvo.com", which
is the a record

In short, you can drop those 3 entries and you'll only improve things.

> ip4:12.68.137.213 ip4:12.204.164.198 ip4:12.204.164.163 ip4:12.204.164.52/29
> ip4:12.68.141.86/28 ip4:12.204.164.91/30 ip4:12.204.164.93/30
> ip4:12.204.164.92/30 ip4:12.68.140.17 -all"
> spf2 14400 IN TXT "v=spf1 a mx ip4:12.68.141.104

And you list the a and mx again here - drop those 2.

> ip4:12.204.164.49 ip4:12.204.164.86/26 ip4:12.68.140.10/28
> ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/27
> ip4:12.68.140.16 ip4:12.68.140.18 -all"
>
> I want to check each smtp relayer (that has one of the above IP's)
>
> this is how i need to check it
>
> mail generated from 12.204.164.198 is sent to the relay server and that
> server (s1.gogvo.com) send the actual message)'
> does it pass SPF
>
> Your tool does not give me the information needed to know what to put in
> what field

For a simple check that the record is syntactically valid - put the
domain name in the top field.

For a full test as you specify, put:

The sending IP (eg the IP of s1.gogvo.com) into the field "IP Address"
The full SPF record in the "SPF record" field (v=spf1
ip4:12.68.137.213 ip4:12.204.164.198 ip4:12.204.164.163
ip4:12.204.164.52/29 ip4:12.68.141.86/28 ip4:12.204.164.91/30
ip4:12.204.164.93/30 ip4:12.204.164.92/30 ip4:12.68.140.17
ip4:12.68.141.104 ip4:12.204.164.49 ip4:12.204.164.86/26
ip4:12.68.140.10/28 ip4:12.97.188.200/29 ip4:12.97.188.208/28
ip4:12.97.188.224/27 ip4:12.68.140.16 ip4:12.68.140.18 -all)
The sending address in "Mail From"
The mail server's name (eg s1.gogvo.com) in the "HELO address"

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Feb 10, 2010, 4:34 PM

Post #13 of 13 (2203 views)
Permalink

Re: Over 255 character SPF record with TinyDNS/djbdns [In reply to]

At 20:44 10/02/2010 Wednesday, Aaron Moon wrote:
>I tried this and it's not very conclusive

I'm not sure what you are claiming to have tried and what wasn't conclusive as you havn't quoted the text of whatever mail you are replying to

>I have server A (mail feeder)

ok but irrelevant to you spf records

>then I have multiple smtp servers that mail is fed to
>server s1, s2, s3, s4, s5, s6

ok what are their ip's and helo-names {the names they use to identify themselves to the internet}

>mail gets sent to s1, s2, s3, s4, s5 or s6 then those servers actually send the mail.

so the envelope sender SPF record needs only specify these 6 servers IPs
each of the 6 servers HELO spf needs to specify only their own ip's

>DNS server is using BIND 9.3.X

pretty much irrelevant

>my spf is
>
>gogvo.com 14400 IN TXT "v=spf1 include:spf1.gogvo.com include:spf2.gogvo.com -all"
>spf1 14400 IN TXT "v=spf1 a mx:mail.gogvo.com mx:gogvo.com ip4:12.68.137.213 ip4:12.204.164.198 ip4:12.204.164.163 ip4:12.204.164.52/29 ip4:12.68.141.86/28 ip4:12.204.164.91/30 ip4:12.204.164.93/30 ip4:12.204.164.92/30 ip4:12.68.140.17 -all"
>spf2 14400 IN TXT "v=spf1 a mx ip4:12.68.141.104 ip4:12.204.164.49 ip4:12.204.164.86/26 ip4:12.68.140.10/28 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/27 ip4:12.68.140.16 ip4:12.68.140.18 -all"

ok thats the envelope-senders domain? user [at] gogvo

first always list ip4 records FIRST {as these require no other lookups to pass/fail} as rob has pointed out "a mx:mail.gogvo.com mx:gogvo.com" section is moot and a waste of time and ridiculously repeated in "a mx " in second record
so quick re-write /re-order gives us the corrected envelope-sender SPF records of

gogvo.com 14400 IN TXT "v=spf1 include:spf1.gogvo.com include:spf2.gogvo.com -all"
spf1 14400 IN TXT "v=spf1 ip4:12.68.137.213 ip4:12.68.140.17 ip4:12.68.140.16 ip4:12.68.140.18 ip4:12.68.140.10/28 ip4:12.68.141.86/28 ip4:12.68.141.104 ip4:12.97.188.200/29 ip4:12.97.188.208/28 ip4:12.97.188.224/27 -all"
spf2 14400 IN TXT "v=spf1 ip4:12.204.164.49 ip4:12.204.164.52/29 ip4:12.204.164.91/30 ip4:12.204.164.92/30 ip4:12.204.164.93/30 ip4:12.204.164.86/26 ip4:12.204.164.163 ip4:12.204.164.198 -all"

now after the re-ordering i note that ip4:12.204.164.91/30 ip4:12.204.164.92/30 ip4:12.204.164.93/30 are off
as the math is off if its a 91/30 it starts at 88 next one is at 92 {thus 93 also wrong}
so i'm guessing many of the other cidr bits are wrong also

assuming the servers Helos are sX.gogvo.com ... s1.gogvo.com has an A 12.204.164.52 but no SPF, s2.gogvo.com has neither
so each of the helo names needs the relevant A and SPF records setup

>I want to check each smtp relayer (that has one of the above IP's)
>
>this is how i need to check it
>
>mail generated from 12.204.164.198 is sent to the relay server and that server (s1.gogvo.com) send the actual message)'
>does it pass SPF

if this is the case 12.204.164.198 {as it never directly sends mail to the interne} should NOT be mentioned in your SPF records

>Your tool does not give me the information needed to know what to put in what field

the tool and SPF are only concerned with the checking of the ips that connect to MY {everyone-elses} mailservers, we do not look at previous mailserver headers in SPF as they are potentially forged and utterly untrustable

>-Aaron
>
>
>On 2/10/2010 2:23 AM, Scott Kitterman wrote:
>>Try http://www.kitterman.com/spf/validate.HTML
>>
>>Scott K
>>
>>"Aaron Moon"<aaron.m [at] gogvo> wrote:
>>
>>
>>>I had these very same questions, and my ultimate question is there a
>>>tool that will allow full SPF testing with includes?
>>>
>>>I have not found one yet that works
>>>
>>>ex: I am sending mail from mydomainname.com to my smtp servers and
>>>those servers sv1.domainname.com are making the actual delivery to the
>>>destination address the spf record is "v=spf1
>>>include:spf1.domainname.com include:spf2.domainname.com -all"
>>>
>>>and the record for spf1 14400 IN TXT "v=spf1 ip4:xxx.xxx.xxx.xxx/29
>>>ip4:xxx.xxx.xxx.xx1/29 etc....
>>>
>>>I want to be able to see full validation with this type of spf setup and
>>>something that can test it. Just about everyone out there tells me to
>>>go to dnsreport or mxtoolbox but none of these seems to fully check
>>>includes so i get a fail.....
>>>
>>>Any assistance would be helpful
>>>-Aaron
>>>
>>>
>>>On 2/9/2010 12:52 PM, CSingh [at] lightspeedresearch wrote:
>>>
>>>>I am looking for help with the correct syntax for specifying a longer
>>>>than 255 characters SPF record in TinyDNS. Here is what I have right now
>>>>but it splits the result of the lookup after 127 characters:
>>>>
>>>>
>>>>
>>>>'lightspeedaheadnewsletter.com:v=spf1 a mx ip4\07263.236.30.0/25
>>>>ip4\07266.135.41.209 ip4\072198.178.236.128/25 ip4\072198.178.239.0/24
>>>>ip4\072198.178.237.128/25 ip4\07266.139.75.197 ip4\07272.51.41.212
>>>>ip4\07269.41.163.228 ip4\072216.139.208.114 ip4\07264.34.176.174
>>>>ip4\072208.46.128.32/27 ip4\072212.240.95.144/28 ip4\072134.159.111.26
>>>>ip4\072207.126.144.0/20 -all:3600
>>>>
>>>>'ewr-mx01.lightspeedresearch.com:v=spf1 a -all:3600
>>>>
>>>>'ewr-mx03.lightspeedresearch.com:v=spf1 a -all:3600
>>>>
>>>>
>>>>
>>>>Regards,
>>>>
>>>>Charan
>>>>
>>>>
>>>>This email is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email by mistake, please delete it from your system immediately and notify the sender. Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
>>>>
>>>>
>>>>
>>>>-------------------------------------------
>>>>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>>>>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>>>
>>>>Archives: https://www.listbox.com/member/archive/1020/=now
>>>>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>>>>Powered by Listbox: http://www.listbox.com
>>>>
>>>>
>>>
>>>-------------------------------------------
>>>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>>>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>>
>>>Archives: https://www.listbox.com/member/archive/1020/=now
>>>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>>>Powered by Listbox: http://www.listbox.com
>>>
>>>
>>
>>-------------------------------------------
>>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>>
>>Archives: https://www.listbox.com/member/archive/1020/=now
>>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>>Powered by Listbox: http://www.listbox.com
>>
>
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads